Method and system for the identification and the suppression of executable objects

ABSTRACT

A method for processing Executable Objects, comprising: (a) providing analysis means capable of non-interfering analysis of data packets transmitted on a communication line between a browser and an HTTP server on the web, said communication line being established through a gateway; (b) analyzing the handshake between said browser and said server, to detect a “GET_” command sent by the user and an HTTP code sent in response by said server; (c) when such an HTTP code is detected, analyzing the data packets transmitted by said server to said browser, by: (c.1) providing ordering means to order data packets received in non-sequential order, and to forward them in sequential order to header checking means; (c.2) checking the data packets so as to analyze the contents of the header of the Executable Object, and to identify the resources of the system that it needs to employ; (c.3) transmitting to said gateway data representing the resources of the system that the Executable Object needs to utilize; (c.4) providing data packet suppressing means coupled to said gateway, such that if the resources of the system that the Executable Object needs to utilize are not permitted according to the security policy set by the administrator, at least one data packet belonging to the Executable Object is suppressed, altered or damaged, so as to prevent the execution thereof by the browser.

FIELD OF THE INVENTION

[0001] The present invention relates to the security management of computer networks. More particularly, the invention relates to methods and systems for preventing the downloading and execution of undesirable Executable Objects in a workstation of a computer network.

BACKGROUND OF THE INVENTION

[0002] The Internet has developed very much, both in respect of its contents and of the technology employed, since it began a few years ago. In the early days of the Internet, web sites included text only, and after a while graphics were introduced. As the Internet developed, many compressed standards, such as pictures, voice and video files, were developed and with them programs used to play them (called “players”). Initially, such files were downloaded to the user's workstation only upon his request, and extracted only by the appropriate player, and after a specific order from the user.

[0003] When, in the natural course of the development of the World Wide Web, the search for a way to show nicer, interactive and animated Web Pages began, Sun Microsystems Inc. developed Java—a language that allows the webmaster to write a program, a list of commands—Network Executables—that will be downloaded to the user workstation without his knowledge, and executed by his browser at his workstation. The executables are used, e.g., to provide photographic animation and other graphics on the screen of the web surfer. Such executables have ways of reaching the user workstation's resources, which leads to a serious security problem. Although some levels of security were defined in the Java language, a large security hole was very soon found in the language.

[0004] Since Java was developed, Microsoft has developed ActiveX, which is another Network Executable format, also downloaded into the workstation. ActiveX also has security problems of the same kind.

[0005] The Internet has been flooded with “Network Executables” which may be downloaded—deliberately or without the knowledge of the users—into workstations within organizations. These codes generally contain harmless functions. Although usually safe, they may not meet the required security policy of the organization.

[0006] Once executed, codes may jam the network, cause considerable irreversible damage to the local database, workstations and servers, or result in unauthorized retrieval of information from the servers/workstations. Such elements may appear in Java applets, ActiveX components, DLLs and other object codes, and their use is increasing at an unparalleled pace. The majority of these small programs are downloaded into the organization unsolicited and uncontrolled. The enterprise has no way of knowing about their existence or execution, and there is no system in place for early detection and prevention of the codes from being executed.

[0007] The security problem was solved partially by the browser manufacturers, which allow the user to disable the use of executables. Of course this is not a reasonable solution, since all electronic commerce and advertising are based on the use of executables. The security problem is much more serious once such an executable can reach the enterprise servers, databases and other workstations.

[0008] In a copending patent application of the same applicant herein, IL 120420, filed on Mar. 10, 1997, the specification of which is incorporated herein by reference, a method is described and claimed for selectively preventing the downloading and execution of undesired Executable Objects in a computer, which comprises the steps of:

[0009] (a) providing one or more Control Centers, each connected to one or more gateways, each gateway serving one or more end user computers;

[0010] (b) providing means coupled to each of said gateways, to detect Executable Objects reaching said gateway, to analyze the header of each of said Executable Objects, and to determine the resources of the computer that the Executable Object needs to utilize;

[0011] (c) providing means coupled to each of said gateways, to store each end user computer Security Policy representing the resources, or combination of resources, that the administrator allows or does not allow an Executable Object to utilize within its destination, wherein the Security Policy is received from and/or stored in each of said one or more Control Centers;

[0012] (d) when an Executable Object is detected at the gateway:

[0013] 1. analyzing the header of said Executable Object;

[0014] 2. determining the resources of the computer that the Executable Object needs to utilize;

[0015] 3. comparing the resources of the computer that the Executable Object needs to utilize with the Security Policy; and

[0016] (i) if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources allowed for use by the Security Policy, allowing the Executable Object to pass through the gateway and to reach the computer which has initiated its downloading; and

[0017] (ii) if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources prohibited for use by the Security Policy, preventing the Executable Object from passing through the gateway, thereby preventing it from reaching the computer which has initiated its downloading.

[0018] A Control Center (CC) may be a central control unit, e.g., a PC or other computer which is connected to a plurality of gateways, and which updates the memory means containing relevant data, e.g., the Security Policy. Once the CC is updated, e.g., by the addition of a further limitation to the Security Policy, all gateways are updated at once. The use of the CC to control the operation of the security elements of the gateways obviates the need (which exists in prior art systems) to update each gateway every time that a change in policy is made.

[0019] A LAN (Local Area Network) may be (but is not limited to), e.g., a network of computers located in an office or building. The LAN is typically connected to outside communications networks, such as the World Wide Web, or to more limited LANs, e.g., of a client or supplier, through one or more gateways. The larger the organization, the larger the number of gateways employed, in order to keep communications at a reasonable speed.

[0020] Generally speaking, a LAN can also be made of a plurality of smaller LANs, located geographically nearby or far apart, but even if small LANs are found within the same organization, the security requirements may vary from one department to the other, and it may be necessary to keep high security levels, including preventing Executables from migrating from one department to the other, even within the same organization.

[0021] The means coupled to each of said gateways, to detect Executable Objects reaching said gateway, to analyze the header of each of said Executable Objects, and to determine the resources of the computer that the Executable Object needs to utilize may be of many different types. Typically, the executable object is “trapped” and analyzed at the gateway by listening on the communication line to the TCP/IP protocol, as well as to the object transfer protocols, such as SMTP, HTTP, FTP, etc. Hooking into the communication line and extracting the contents of the header of the executable object are steps which are understood by the skilled person, and which can be effected by means of conventional programming, and they are therefore not described herein in detail, for the sake of brevity.

[0022] Once the header of the Executable Object (EO) has been analyzed, comparing the resources of the computer that the EO needs to utilize with the Security Policy can be easily done, e.g., by comparing them with a look-up table provided to the gateway by the CC, which represents the Security Policy. Comparison can also be carried out against the data stored in the CC, and in such a case specific memory means and comparing means may not be necessary in the gateway. However, speed and performance considerations will often dictate that such operations be carried out at the gateway itself.

[0023] Prior art solutions provide for the analysis of communication taking place via a single port, Port 80, which is the port commonly employed for web surfing. However, today it is possible to surf the net through ports other than Port 80, while the HTTP server of the user, according to currently available technology, cannot work on a plurality of ports. Therefore, if more than one user employs a gateway simultaneously, prior art systems are ineffective, since they are not suitable for the simultaneous analysis of communication taking place via other ports.

[0024] Another severe drawback is that a very strong HTTP server is needed to serve a plurality of users, when operating according to the prior art method.

[0025] The art has so far failed to provide an efficient method for processing EOs, which is independent of the port used, and which does not require an extraordinarily strong server to be implemented. It is therefore clear that such a solution is needed, particularly in view of the ever growing use of the web by many organizations.

SUMMARY OF THE INVENTION

[0026] It is an object of the present invention to provide an efficient method for processing Executable Objects which overcomes the aforesaid drawbacks of prior art systems.

[0027] It is another object of the invention to provide such a method which is easy to implement and which does not require significant hardware changes.

[0028] It is a further object of the invention to provide a method which permits the executables to be analyzed “on the fly”, and does not hinder the downloading and the operation of harmless executables.

[0029] It is yet another object of the invention to provide apparatus for carrying out the method of the invention.

[0030] Other advantages and objects of the invention will become apparent as the description proceeds.

[0031] The invention is directed, inter alia, to a method for processing Executable Objects, comprising:

[0032] (a) providing analysis means capable of non-interfering analysis of data packets transmitted on a communication line between a browser and an HTTP server on the web, said communication line being established through a gateway;

[0033] (b) analyzing the handshake between said browser and said server, to detect a “GET_” command sent by the user and an HTTP code sent in response by said server;

[0034] (c) when such an HTTP code is detected, analyzing the data packets transmitted by said server to said browser, by:

[0035] (1) providing ordering means to order data packets received in non-sequential order, and to forward them in sequential order to header checking means;

[0036] (2) checking the data packets so as to analyze the contents of the header of the Executable Object, and to identify the resources of the system that it needs to employ;

[0037] (3) transmitting to said gateway data representing the resources of the system that the Executable Object needs to utilize; and

[0038] (4) providing data packet suppressing means coupled to said gateway, such that if the resources of the system that the Executable Object needs to utilize are not permitted according to the security policy set by the administrator, at least one data packet belonging to the Executable Object is suppressed, altered or damaged, so as to prevent the execution thereof by the browser.

[0039] According to a preferred embodiment of the invention, the method further comprises identifying the user communicating through the gateway, and the server to which said user is connected, and coupling all activities and analyses to said user. This procedure is needed at times when more than one user connects through the gateway simultaneously. Then, a plurality of users connects to a plurality of servers. Therefore, it is necessary to keep track of the specific user who has requested a specific Executable Object from a specific server, so as to properly handle packets received at the gateway from any individual server.

[0040] In another preferred embodiment of the invention, the method further comprises storing in memory means checksums representing Executable Objects analyzed, together with values indicative of whether any such Executable Object complies or not with the Security Policy, and checking any incoming Executable Object against said stored values, prior or in parallel to analyzing it, whereby to discard any Executable Object identified thereby as being non-compliant with the Security Policy, and allowing Executable Objects identified thereby as being compliant with the Security Policy to pass the Gateway and reach the user. As will be apparent to the skilled person, this procedure may streamline and speed up the analysis of Executable Objects, since verifying a checksum is a procedure which is quicker and simpler than the full analysis procedure of the EO's header.
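The look-up-table comparison of paragraph [0022] and the checksum memory of paragraph [0040], as an added Python example that is not part of the patent. The header format, the resource names, the use of SHA-256 as the checksum and the default-deny rule for resources the policy does not mention are all constructed assumptions, since the patent fixes none of them.

```python
import hashlib

# Constructed look-up table standing in for the Security Policy the Control
# Center pushes to the gateway. Resource names are hypothetical.
SECURITY_POLICY = {
    "allowed": {"screen", "net:origin-server"},
    "prohibited": {"filesystem", "net:any", "registry"},
}


def parse_eo_header(eo_bytes):
    """Toy stand-in for header analysis: the patent does not fix a header
    format, so this constructed one lists the needed resources on the first
    line, e.g. b'EO;filesystem,screen\\n<body>'. Returns the resource names."""
    header, _, _ = eo_bytes.partition(b"\n")
    tag, _, resources = header.partition(b";")
    if tag != b"EO":
        raise ValueError("not an Executable Object header")
    return {r.decode() for r in resources.split(b",") if r}


def complies_with_policy(needed, policy):
    """Gateway-side comparison with the look-up table. Assumption: a resource
    that is neither allowed nor prohibited is treated as prohibited."""
    if needed & policy["prohibited"]:
        return False
    return needed <= policy["allowed"]


class ChecksumCache:
    """Memory means of paragraph [0040]: checksum of each analysed EO together
    with its verdict, so a repeat download is decided without header analysis."""
    def __init__(self):
        self._verdicts = {}

    @staticmethod
    def checksum(eo_bytes):
        return hashlib.sha256(eo_bytes).hexdigest()

    def lookup(self, eo_bytes):
        return self._verdicts.get(self.checksum(eo_bytes))

    def store(self, eo_bytes, compliant):
        self._verdicts[self.checksum(eo_bytes)] = compliant


def process_eo(eo_bytes, policy, cache):
    """Returns (compliant, how): 'cache' when the stored checksum decided,
    'analysed' after a full header comparison. A non-compliant verdict is
    what the gateway acts on by suppressing or damaging one packet of the EO."""
    cached = cache.lookup(eo_bytes)
    if cached is not None:
        return cached, "cache"
    compliant = complies_with_policy(parse_eo_header(eo_bytes), policy)
    cache.store(eo_bytes, compliant)
    return compliant, "analysed"


def demo():
    """Constructed EOs: a harmless animation applet and one wanting the filesystem.
    The second download of each is decided from the checksum alone."""
    cache = ChecksumCache()
    harmless = b"EO;screen,net:origin-server\nanimation-bytes"
    grabby = b"EO;screen,filesystem\nfile-reading-bytes"
    return [process_eo(eo, SECURITY_POLICY, cache)
            for eo in (harmless, grabby, grabby, harmless)]
```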

BRIEF DESCRIPTION OF THE DRAWINGS

[0041] In the drawings:

[0042] FIG. 1 is a schematic representation of a communication mode between a browser and an HTTP server on the web, through a gateway, including additional analysis means, according to a preferred embodiment of the invention; and

[0043] FIG. 2 illustrates the situation existing in an analysis means according to one preferred embodiment of the invention, with respect to the processing of data packets.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0044] The method of the invention will now be illustrated with reference to a preferred embodiment thereof. In FIG. 1, a typical situation is shown, in which a browser, BR (running on an end user's computer), is connected to the web through a gateway, GW. In FIG. 1 only one browser BR is shown, for the sake of simplicity, although of course the gateway GW is designed to service a plurality of browsers. Similarly, gateway GW is shown to be connected only to one HTTP server on the web (designated “WEB”), although it can of course be connected to a plurality of servers on the web, and the connection is not a point-to-point connection.

[0045] According to this preferred embodiment of the invention, analyzing means, L, are provided, which are connected to the communication line on the one hand, and to the gateway on the other hand. Analyzing means L are passive means, only capable of “listening” to the talk carried out on the line, between the browser BR and the server WEB. L is further capable of sending a signal to gateway GW.

[0046] Data communication between the browser and the HTTP server is made in small packets, the ensemble of which constitutes an entity, which may or may not be an Executable Object. The packets are not necessarily transmitted sequentially, and this fact makes it even harder to analyze them. Packets are transmitted from WEB to BR as a result of a handshake carried out between the browser and the HTTP server. An executable object is downloaded as a result of a message sent by the user, including the command “GET_”, which command is echoed in the handshake by the HTTP server, which sends in response an HTTP code preceding the requested EO.

[0047] Thus, according to the invention, the first step in the process of identifying the data being transmitted as a potentially harmful executable object is to analyze the first four bytes being transmitted by the HTTP server (WEB), and to determine whether they contain a response to the command “GET_” sent by the user, in the form of an HTTP code. If they do, the rest of the transmitted string must also be analyzed to determine whether it contains a Java applet or other undesirable EO. The way in which the packets are processed will be further described below.

[0048] If the analyzing means L determine that an Executable Object is involved as discussed above, then the header of the EO must be analyzed to check its compliance with the security policy set by the user. It should again be emphasized that the analyzing means L only “listen in”, but do not interfere with the transmission of the string.

[0049] The analyzing means comprise different functional elements. In the first part, the packets received are stored and ordered sequentially, so that the header thereof can be analyzed. This is schematically shown in FIG. 2, in which the analyzing means L are seen to comprise ordering means, OM, which receive the packets as they are transmitted, order them and pass them on in the correct order. For instance, in the example seen in the figure, six packets are seen to have been transmitted, in the order 2, 1, 3, 8, 5, 10. Packets 1, 2, 3 have been ordered sequentially and sent on to the checker, CH, but since packet 4 has not yet been transmitted, the remaining packets (5, 8 and 10) are kept in the OM until they can be released. Packet 5 will be released only after packet 4 arrives, and packet 8 only after packets 6 and 7 have arrived, and so on. This delay which takes place in the OM, it should once again be emphasized, does not affect the transaction which is taking place between the browser BR and the HTTP server, WEB, and all packets are transferred normally, in their non-sequential order. However, the invention takes advantage of the fact that, even if the packets continue to be transmitted, the EO cannot function if one of the packets is missing or damaged. Therefore, it is sufficient for the gateway to take care of suppressing or damaging one packet, which the gateway does once it receives a signal from the checker indicating that the header of the EO comprises commands which are forbidden according to its security policy. Thus, according to the invention, the transmission of the data is not disturbed, the analysis of the packets is done in a non-interfering manner, and the transmission is only affected if it is desired to prevent an EO from running on the end user's computer. Another advantage of the method of the invention is that only data preceded by a reply to a “GET_” command needs to be analyzed, and furthermore any string needs to be analyzed only up to the point where it can be determined that it does not contain an undesirable EO.
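The ordering means and checker of FIG. 2, together with the first-four-bytes check of paragraph [0047], as an added Python example that is not the patent's own code. The packet contents are constructed, and the check on the literal “HTTP” prefix assumes an HTTP/1.x status line; the replay below uses the figure's arrival order 2, 1, 3, 8, 5, 10 and then completes it with 4, 6, 7 to show the held packets being released.

```python
from dataclasses import dataclass, field

# First four bytes an HTTP/1.x server sends in reply to a GET request.
HTTP_STATUS_PREFIX = b"HTTP"


@dataclass
class OrderingMeans:
    """OM of FIG. 2: stores packets arriving out of order and releases only
    the contiguous run starting at the next expected sequence number."""
    next_seq: int = 1
    pending: dict = field(default_factory=dict)

    def receive(self, seq, payload):
        """Store one packet; return every packet now releasable, in order."""
        self.pending[seq] = payload
        released = []
        while self.next_seq in self.pending:
            released.append((self.next_seq, self.pending.pop(self.next_seq)))
            self.next_seq += 1
        return released

    def held(self):
        """Sequence numbers still waiting for an earlier packet."""
        return sorted(self.pending)


class Checker:
    """CH: consumes in-order packets and first decides, from the first four
    bytes, whether the stream is an HTTP reply at all; once decided it stops
    reading, since only replies to GET need further header analysis."""
    def __init__(self):
        self.buffer = b""
        self.verdict = None   # None = undecided, "not-http", or "http:<status>"

    def feed(self, packets):
        for _, payload in packets:
            if self.verdict is not None:
                break
            self.buffer += payload
            if len(self.buffer) < 4:
                continue
            if self.buffer[:4] != HTTP_STATUS_PREFIX:
                self.verdict = "not-http"
                continue
            line, sep, _ = self.buffer.partition(b"\r\n")
            parts = line.split()
            if sep:  # full status line seen, e.g. b"HTTP/1.0 200 OK"
                self.verdict = "http:" + parts[1].decode() if len(parts) > 1 else "not-http"
        return self.verdict


def run_fig2_example():
    """Replay the arrival order of FIG. 2 through the OM and record, after
    each packet, what was released to CH and what is still held."""
    om = OrderingMeans()
    trace = []
    for seq in (2, 1, 3, 8, 5, 10, 4, 6, 7):
        released = [s for s, _ in om.receive(seq, b"p%d" % seq)]
        trace.append((seq, released, om.held()))
    return trace


def run_handshake_example():
    """Constructed reply split so the 'HTTP' prefix straddles two packets that
    arrive in reverse order; CH can only decide after the OM reorders them."""
    om, ch = OrderingMeans(), Checker()
    pkts = {1: b"HT", 2: b"TP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n"}
    verdict_before = ch.feed(om.receive(2, pkts[2]))   # nothing released yet
    verdict_after = ch.feed(om.receive(1, pkts[1]))    # 1 and 2 released in order
    return verdict_before, verdict_after
```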

[0050] As stated, according to a preferred embodiment of the invention, if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources allowed for use by the Security Policy, no steps are taken by the system to prevent the Executable Object from passing through the gateway and reaching the computer which has initiated its downloading. However, if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources prohibited for use by the Security Policy, steps will be taken to prevent the Executable Object from passing through the gateway. Such steps may include, e.g., deleting a packet of the EO, or garbling part of it, so as to make it inoperative, etc.

[0051] The invention is not limited to any specific EO. However, according to a preferred embodiment of the invention, it is desirable to analyze EOs including, inter alia, Java Applets, Active-X, OCX, Win32 Executables, DLLs, or the like executable objects. However, as will be apparent to the skilled person, EOs are constantly being developed, and the invention is by no means intended to be limited to use with specific EOs, and the actual nature of the EO is not of critical importance.

[0052] All the above description of preferred embodiments has been provided for the sake of illustration, and is not intended to limit the invention in any way, except as defined by the claims. Many modifications may be effected in the invention. For instance, a variety of Executable Objects can be monitored, different ordering means and analyzing means can be applied, as well as header analyzing methods, all without exceeding the scope of the invention.

CLAIMS

1. A method for processing Executable Objects, comprising: (a) providing analysis means capable of non-interfering analysis of data packets transmitted on a communication line between a browser and an HTTP server on the web, said communication line being established through a gateway; (b) analyzing the handshake between said browser and said server, to detect a “GET_” command sent by the user and an HTTP code sent in response by said server; (c) when such an HTTP code is detected, analyzing the data packets transmitted by said server to said browser, by: (1) providing ordering means to order data packets received in non-sequential order, and to forward them in sequential order to header checking means; (2) checking the data packets so as to analyze the contents of the header of the Executable Object, and to identify the resources of the system that it needs to employ; (3) transmitting to said gateway data representing the resources of the system that the Executable Object needs to utilize; (4) providing data packet suppressing means coupled to said gateway, such that if the resources of the system that the Executable Object needs to utilize are not permitted according to the security policy set by the administrator, at least one data packet belonging to the Executable Object is suppressed, altered or damaged, so as to prevent the execution thereof by the browser.

2. A method according to claim 1, further comprising identifying the user communicating through the gateway, and the server to which said user is connected, and coupling all activities and analyses to said user.

3. A method according to claim 1 or 2, further comprising storing in memory means checksums representing Executable Objects analyzed, together with values indicative of whether any such Executable Object complies or not with the Security Policy, and checking any incoming Executable Object against said stored values, prior to analyzing it, whereby to discard any Executable Object identified thereby as being non-compliant with the Security Policy, and allowing Executable Objects identified thereby as being compliant with the Security Policy to pass the Gateway and reach the user.

4. A method for processing Executable Objects, substantially as described and illustrated.